With the large volume of malware (e.g., viruses, worms, Trojans, etc.) in circulation, anti-malware software is an important line of defense for computer systems. One avenue of attack used by some malware is for a malicious process to inject malicious code into an in-memory process on the target computer. In other words, rather than infecting a file on the disk of the target computer, the malware infects a process that has been loaded into the memory of the target computer from a local file. This technique enables the malware to infect the target computer without the malware itself having an on-disk presence. Since a lot of anti-malware technology works by scanning files for malware signatures, malicious code that does not reside in a file on disk is difficult to detect. Making such malware even harder to detect, the malicious process does not always infect a process that is already in memory, but instead loads into memory an executable image from the disk, e.g., a Portable Executable (“PE”) file in the case of Windows, an Executable and Linkable Format (“ELF”) file in the case of Unix-like operating systems, etc. The malicious process then adds malicious code, or replaces existing code with malicious code, thereby infecting the target in-memory process.
Attempts to detect this type of attack have generally taken the form of tracking the behaviors of programs and trying to identify those considered indicative of suspicious in-memory process modification. A program that engages in a requisite amount of such behavior can then be adjudicated as potentially malicious. However, malware authors intentionally evade such detection techniques by obfuscating, modifying and/or avoiding the behaviors that are considered indicative of malicious in-memory image modification.
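The behavior-tracking approach described above, as an added illustration that is not part of this document: each monitored process accumulates a score from the behaviors it exhibits, and a process whose score reaches a threshold is flagged. The event log, the behavior names, the weights and the threshold are all constructed assumptions for the example; a real product would derive them from its own telemetry.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical format): one record per observed
# behavior, keyed by the process that performed it.
SAMPLE_EVENTS = [
    {"pid": 100, "image": "updater.exe", "behavior": "open_process"},
    {"pid": 100, "image": "updater.exe", "behavior": "allocate_executable_memory"},
    {"pid": 100, "image": "updater.exe", "behavior": "write_remote_memory"},
    {"pid": 100, "image": "updater.exe", "behavior": "create_remote_thread"},
    {"pid": 200, "image": "editor.exe", "behavior": "open_process"},
    {"pid": 200, "image": "editor.exe", "behavior": "write_remote_memory"},
    {"pid": 300, "image": "loader.exe", "behavior": "create_suspended_process"},
    {"pid": 300, "image": "loader.exe", "behavior": "write_remote_memory"},
    {"pid": 300, "image": "loader.exe", "behavior": "write_remote_memory"},
    {"pid": 300, "image": "loader.exe", "behavior": "set_thread_context"},
]

# Hypothetical weights: how strongly each behavior suggests in-memory image
# modification on its own. Benign software performs some of these too, which
# is why no single behavior reaches the threshold by itself.
BEHAVIOR_WEIGHTS = {
    "open_process": 1,
    "allocate_executable_memory": 2,
    "write_remote_memory": 2,
    "create_remote_thread": 3,
    "create_suspended_process": 2,
    "set_thread_context": 3,
}

# Hypothetical "requisite amount" of suspicious behavior.
THRESHOLD = 5


def score_processes(events, weights=BEHAVIOR_WEIGHTS):
    """Return {(pid, image): score}, counting each distinct behavior once per process."""
    scores = defaultdict(int)
    seen = defaultdict(set)
    for event in events:
        key = (event["pid"], event["image"])
        behavior = event["behavior"]
        # Repeating the same behavior must not inflate the score; only the set
        # of distinct indicators matters for this kind of heuristic.
        if behavior in weights and behavior not in seen[key]:
            seen[key].add(behavior)
            scores[key] += weights[behavior]
    return dict(scores)


def classify(events, threshold=THRESHOLD):
    """Adjudicate each process as 'suspicious' or 'benign' against the threshold."""
    return {
        key: ("suspicious" if score >= threshold else "benign")
        for key, score in score_processes(events).items()
    }


if __name__ == "__main__":
    for key, verdict in classify(SAMPLE_EVENTS).items():
        print(key, verdict)
```

In the constructed log, the two processes that exhibit a full sequence of indicators are flagged, while the process that only opens and writes another process stays below the threshold. That last case is the weakness the paragraph describes: the heuristic depends on the monitored behaviors being both present and recognizable, so a program that performs fewer of them, or performs them in a form the monitor does not recognize, is scored as benign.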
It would be desirable to address these issues.